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ABSTRACT 


Reliability  evaluation  of  fault  tolerant  control  systems  (FTCS)  that 
include  sequential  tests  for  failure  detection  and  identification  involve 
the  transient  analysis  of  finite-state  semi-Markov  chains  of  very  large 
dimension.  Such  models  for  the  time  horizons  of  interest  are  intractable 
even  for  simple  architectures.  This  has  motivated  the  work  summarized  in 
this  report  as  well  as  the  work  that  was  accomplished  under  a  previous  AFOSR 
grant. 

The  basis  for  the  work  is  the  idea  of  asymptotic  aggregation  of 
semi-Markov  chains  that  include  slow  and  fast  transitions.  The  extension  of 
earlier  asymptotic  aggregation  results  (primarily  due  to  Korolyuk)  to  models 
that  include  decomposed  classes  that  are  non-ergodic  and  the  subsequent 
application  of  these  results  to  FTCS  models  was  the  subject  of  studies 
conducted  under  the  previous  grant. 

The  research  efforts  reported  here  concentrate  on  the  application  of  the 
results  from  the  previous  study  to  more  general  FTCS  architectures.  A 
difficulty  is  pointed  out  in  using  the  limit  theorems  of  the  previous  work 
to  approximate  the  occupancy  probabilities  of  transient  states  that  have 
large  holding  times.  A  modified  algorithm  that  leads  to  better 
approximations  for  these  states  is  presented  in  this  report.  The  application 
of  this  modified  algorithm  to  the  nine  state  semi-Markov  reliabil'ly  model 
generated  by  a  simple  dual  redundant  system  is  then  discussed. 

Extension  of  the  limit  theorems  developed  in  the  earlier  work  to  models 
with  more  general  decomposed  classes  is  also  presented  in  this  report.  In 
particular,  the  results  are  extended  to  models  that  have  multiple 
trapping  states  within  each  decomposed  class. 
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1.  INTRODUCTION 


1 .  1  Motivation  and  Discussion  of  Problem 

The  work  discussed  in  this  report  relates  to  the  prediction  of  the 
reliability  and  other  performance  measures  for  complex  fault  tolerant 
systems.  The  criteria  by  which  the  design  of  a  fault  tolerant  system  is 
evaluated  are  usually  related  to  predicted  reliability  and  performance 
quantities.  Thus,  the  development  of  the  means  for  making  such  calculations 
has  become  a  major  concern  as  the  reliability  and  performance  requirements 
of  these  systems  have  been  made  more  demanding. 

One  method  that  has  proven  to  be  useful  for  evaluating  the  reliab  ility 
and  performance  of  a  fault  tolerant  system  is  the  use  of  finite  state  Markov 
and  semi-Markov  models  [1-6].  As  the  introduction  to  the  final  report  on  the 
previous  grant  [7]  points  out,  however,  four  basic  difficulties  to  the 
numerical  implementation  arise  when  generalized  Markovian  models  are  used  to 
represent  the  behavior  of  a  fault  tolerant  system: 

1.  The  dimension  of  the  model  is  typically  large,  even  for  relatively 
simple  architectures. 

2.  The  transient  behavior  of  the  model  is  the  behavior  of  interest 
because  the  operating  time  of  the  system  is  always  much  shorter  than  the 
time  necessary  for  all  the  components  fail  (which  is  the  steady  state 
condition).  Generating  numerical  results  for  the  transient  behavior  of 
generalized  Markovian  models  is  a  problem  for  which  few  short-cuts  exist. 

3.  Although  the  operating  times  of  interest  are  short  relative  to  the 
time  necessary  for  all  of  the  components  to  fail,  it  is  often  long  relative 
to  the  time  between  applications  of  the  failure  detection  tests  that  are  in 
use.  Thus,  we  are  often  interested  in  the  transient  behavior  of  a  Markovian 
model  after  many  thousands  of  time  steps. 
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4.  A  significant  time  scale  separation  exists  between  the  average  times 
necessary  for  a  failure  to  occur  and  the  average  time  necessary  for  the 
failure  detection  decisions  to  be  made.  However,  some  failure  detection 
decisions,  particularly  "false  alarm"  decisions  (a  decision  that  a  failure 
is  present  when  in  fact  one  is  not  present),  require  an  average  time  of 
considerable  length  relative  to  the  component  mean  time  to  failure. 

These  difficulties  make  the  problem  of  evaluating  such  quantities  as  the 
reliability  of  a  fault  tolerant  control  system  impractical  even  with 
powerful  digital  computing  machinery.  It  is  this  intractability  with  which 
this  study  (and  the  previous  study)  is  concerned. 

1. 2  Summary  of  Previous  Work 

The  four  difficulties  discussed  in  the  preceding  subsection  motivate 
the  development  of  approximate  strategies  to  quantitatively  solve  the 
Markovian  models  that  represent  fault  tolerant  systems.  Many  of  the 
approximate  techniques  (including  those  discussed  in  [7]  and  in  this  report) 
are  based  upon  the  exploitation  of  the  time  scale  separation  mentioned  in 
Comment  4  above.  The  basic  idea  is  to  aggregate  into  classes  the  states  of 
the  model  that  share  transitions  that  occur  in  the  fast  time  scale.  Then, 
the  transitions  between  the  classes  can  be  characterized  by  the  slow  time 
scale  behavior  while  the  behavior  within  each  class  is  assumed  to  be 
well-approximated  by  the  steady  state  behavior  of  the  class  with  slow 
transitions  neglected.  This  leads  to  two  types  of  Markovian  models  to  be 
solved,  each  of  relatively  small  dimension:  a  transient  model  that  evolves 
in  the  slow  time  scale  describing  the  interclass  transition  dynamics,  and  a 
steady  state  model  for  each  class.  The  approximate  behavior  of  the  original 
model  over  long  time  horizons  is  then  approximated  by  multiplying  the 
transient  probability  of  occupying  each  class  by  the  steady  state 
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probabilities  of  occupying  each  state  within  that  class. 

The  introduction  of  [7]  summarizes  much  of  the  work  done  by  other 
authors  on  the  problem  of  aggregating  finite  state  Markovian  models  to 
generate  approximate  solutions.  In  the  interest  of  brevity,  that  summary  is 
not  repeated  here.  The  interested  reader  is  referred  to  [7]. 

The  primary  contribution  of  the  work  reported  in  [7]  was  to  extend  some 
previous  results  (primarily  due  to  Korolyuk  [8,9])  to  situations  that  more  • 
accurately  reflect  the  types  of  models  that  represent  the  behavior  of 
fault-tolerant  systems.  In  particular,  the  work  summarized  in  [7]: 

•  Extended  Korolyuk’ s  theorems  to  time-scaled  models  that  do  not 
decompose  into  ergodic  decomposed  classes. 

•  Developed  the  discrete  time  versions  of  Korolyuk’ s  original  theorems 
and  the  discrete  time  analog  of  the  extension  to  models  with  nonergodic 
decomposed  classes. 

•  Applied  the  discrete  time  results  to  a  relevant,  though  simple, 
discrete  time  fualt  tolerant  system  model  for  which  exact  results  could 
also  be  generated. 

•  Made  a  preliminary  effort  to  extend  the  results  further  to  models 
that  include  decomposed  classes  with  multiple  trapping  states. 

As  was  pointed  out  in  [7],  these  contributions  make  feasible  the  use  of 
semi-Markov  reliability  models  as  a  design  tool  for  fault  tolerant  systems 
by  making  it  possible  to  approximately  solve  for  the  reliability  and  other 
performance  measures  efficiently. 

1 . 3  Research  Goals  of  Present  Work 

The  work  reported  here  was  motivated  by  two  shortcomings  of  the  work 
reported  in  [7].  One  is  alluded  to  in  the  contributions  summary  of  the 
previous  subsection.  The  other  relates  to  the  assumption  that  essentially 
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all  approximate  aggregation  strategies  make  regarding  the  strong  separation 
in  time  scales  of  the  slow  and  fast  transition  behavior. 

In  [7],  an  incomplete  proof  was  given  for  applying  the  approximate 
aggregation  results  to  models  that  yield  multiple  trapping  states  in  the 
decomposed  classes.  One  goal  of  the  work  reported  here  was  to  complete  this 
proof. 

The  other  shortcoming  in  the  results  of  [7]  relates  to  the 
numerical  results  that  were  obtained  for  a  model  that  represented  the 
behavior  of  a  simple  dual  redundant  system  used  in  a  primary-secondary  mode 
(cf.  Section  2.5.2  of  [7]).  If  a  decomposed  class  of  the  model  contains  at 
least  one  trapping  state  when  slow  transitions  are  neglected,  then  the 
steady  state  distribution  within  that  class  will  indicate  zero  probability 
for  any  state  that  is  transient.  Hence,  when  the  approximation  is 
constructed,  the  approximate  solution  predicts  zero  probability  for  these 
states.  This  is  not  a  good  approximation  if  these  states  have  average 
holding  times  that  are  a  significant  fraction  of  the  time  scale  over  which 
the  slow  transitions  occur,  as  would  be  the  case  for  a  fault  tolerant  system 
with  very  long  mean  times  to  false  alarm.  Much  of  the  work  reported  below  is 
an  effort  to  address  this  problem. 
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2.  PROGRESS  SUMMARY 


2. 1  Summary  of  Section 

This  section  summarizes  the  salient  aspects  of  the  work  carried 
out  during  the  one-year  period  of  the  grant.  Section  2.2  describes  the 
extension  of  earlier  limit  theorems  for  semi-Markov  chains  to  more  general 
case  that  includes  multiple  recurrent  subsets  in  decomposed  classes. 
Derivation  of  the  semi-Markov  model  for  a  simple  dual  redundant  system  is 
presented  in  section  2.3.  Application  of  the  earlier  limit  theorem  and  a 
modified  algorithm  developed  during  the  period  of  this  research  on  the 
resulting  nine  state  model  is  then  discussed  in  a  paper  that  is  included  as 
Appendix  A  and  summarized  in  section  2.4. 

2. 2.  Behavioral  Decomposition  of  Semi -Markov  Models  -  General  Case 

The  decomposition  of  semi -Markovian  models  that  include  fast  and  slow 

transitions  between  the  various  states  was  considered  by  Korolyuk  [8].  It 

was  shown  in  [8]  that  a  semi-Markov  chain  that  depended  on  a  small  parameter 

e  which  could  be  split  in  the  limit  as  e  0  into  a  disjoint  set  of 

non-communicating  classes  of  states  E  ,  k=l . m,  can  be  represented  by  a 

k 

m-state  Markov  chain  when  the  classes  are  ergodic.  Extension  of  this  result 
to  non-ergodic  classes  E^  that  included  one  irreducible  recurrent  subset  of 
states  was  given  in  [7J.  We  consider  below  more  general  classes  E^  and 
extend  the  limit  theorem  for  semi-Markov  processes  originally  considered  in 
[8]. 

Let  the  set  of  states  of  a  semi-Markov  process  that  depends  on  a  small 
parameter  e  be  split  into  disjoint  classes  of  states, 

m 

E  =  Y.  E,  (2.1) 

k 

k  =  l 

such  that  the  probability  of  departure  from  each  class  and  the  sojourn  time 
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in  a  given  state  tend  to  zero  along  with  e.  The  total  sojourn  in  each  class 
is  assumed  to  have  a  nondegenerate  distribution  in  the  limit  as  e  0. 

Further,  let  each  of  the  classes  be  split  into  a  set  of  transient  states  E 

t 

and  irreducible  recurrent  subsets  E  such  that, 

k 

1 

n 

E  =  E  +  £  (2.2) 

k  k.  k 

t  1  =  1  1 

where  n  may  in  general  be  different  for  various  classes.  Note  that  the 

recurrent  assumption  on  the  subsets  E  implies  that  these  subsets  are 

l 

ergodic.  We  derive  below  the  nature  of  the  inter-class  transitions  when  c 
tends  to  zero. 

Let  the  elements  of  the  transition  probability  matrix  (P^(t);  i, j  e 
E)  specifying  the  semi-Markov  process  depend  as  follows  on  the  small 
parameter  e: 

P*j(t)  =  FjjU/e)  ;  i,  j  e  E  (2.3) 


with, 


i  J 


(k)  (k)  .  . 

P|J-CqiJ  ; 

l  <’  ;  1  6  E„  '  J  *  E, 


(2.4) 


Here, 


(k) 


Zv 

pu 

e»  •* 


=  1  ,  i  6  E 


(2.  5 ] 


j€E 


Also,  since  each  E^  represents  an  irreducible  recurrent  subset  of  states, 

l 

we  have 


Z(k  )  4  — 

p.  ti  =  1  ,  i  6  E 

1 J  k 

J€E  1 

k 

1 


(2.  6) 


We  further  make  the  assumption  that  all  out  of  class  transitions  when 
e  0  take  place  only  from  the  ergodic  states  in  each  class.  Let  t(1)  be  the 

k  r 
1  v 

sojourn  of  the  semi-Markov  process  in  the  subset  E  of  class  k  when  it 

l 
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starts  from  the  state  ieE  and  moves  to  the  irreducible  recurrent  subset 

k 

1 

E  in  class  r.  The  transitions  from  the  subset  E  to  E  can  be  split  into 
r  k  r 

v  1  v 

direct  transitions  and  indirect  transitions  through  the  transient  set  E  in 

r 

t 

class  r  such  that: 


p(v. s  l}  ■  p{Tv! 3  ‘}  *  p{Tv! 3 


(2.  7) 


Here,  the  first  term  on  the  right  hand  side  of  (2.7)  represents  the  direct 
transition  sojourn  and  the  second  term  the  sojourn  for  a  transition  through 
the  transient  set  in  class  r. 


Let  denote  the  sojourn  of  the  semi-Markov  process  in  the  i-th 

state  with  distribution  F  (t),  while  5  are  the  indicators  of  transition 

U  U 

from  the  i-th  to  the  j-th  state.  Using  the  expression  for  total  probability, 
we  obtain  for  the  random  quantities  x<1)d 


k  r 


1  V 

•  *) 

=  E 

J€Ek 

1 

CC  +T(J)d^ 
1J  Yv 

♦  E  i 

J€E 

r 

V 

plse  =1,  e£  S 

\  U  U 

Since  subsets  E 

If 

and  E 

contain  only  ergodic 

IV 

l 

\ 

f 

have  from  Korolyuk’ s 

limit 

theorem 

[8]  : 

1,1 B  P{rd 

p  n  1  if  r 

■4 

d 

=  Pk  r 

|l  -  expf-A^t) 

eo  ^  k^ 

V  J 

1  V 

(2.  S ) 


(2.  9) 


which  is  independent  of  i.  Here, 


„  (k  )  (k  r  ) 
Y  n  l  q  l  v 

1€E 

*1 _ 

V,  "  l  *(Vq(Y 

l€E 

k 

1 


A  = 

kl 


_  (k  )  (k  ) 

E  n  i  qt  l 

i€E 

k 

I _ 

-  (k  )  (k  ) 

y  xt  i  a  i 

L-  i  i 

1€E 

k 

1 


(2. 10) 
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(2.  11) 


(k  r  )  —  (k  ) 

q  l  v  =  v  q  l  ; 

M  U  Hjj 

J€E 

r 

v 


(k  )  „  (k) 

qi  E  V 

)6E„ 

1 


a<ki'  =  £  a  p<ki'  ;  a  =  T  tF  (t) 

i  \  1JPU  U  l  U 

k 

1 


(2. 12) 


In  the  above,  i  represents  the  stationary  probability  distribution 

(k  )  (k  )  (k  ) 

in  the  imbedded  Markov-chain  defined  by  p  l  .  The  elements  p  l  and  q  i 

3  MJ  *IJ  Uj 

(k)  (k) 

are  respectively  the  p  and  q  terms  for  the  indices  i.jeE  . 

1J  iJ  k! 

The  probability  distribution  of  the  sojourn  time  for  transition  from 
E  to  E  through  the  transient  set  E  can  be  further  split  into: 

k  r  r 

1  V  t 


p{\?  * 

'  1  v  '  tv  '  It  > 


(2. 13) 


Here,  the  term  p  represents  the  probability  of  transition  from  the 
r  r 
t  v 

transient  set  E  to  the  subset  E  within  class  r  and  is  given  by: 
r  r 

t  V 

E  E  p[r' 

i€E  j€E  1 

K,  -  -  ^  J-  <-,  (214> 

1 '  El  E  p,  | 

v  i€E  JGE 

r  r 

t  v 

Proceeding  as  before  with  similar  notation,  we  obtain  for  the 
distribution  of  sojourn  time  starting  from  the  i-th  state  in  E  to  the  j-th 

l 

state  in  E  : 

r 

t 

p/t(1)  s  tl  =  £  p{sc  =1,  eC  +  T(J)  i  4 

l  k.rt  J  j€E  1  1J  iJ  k.rt  i 

k 

1 

+  E  p{<  ec  *  4  (2-15) 

jse  t  > 


Hence, 
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(2. 16) 


H'k  ‘  4 =  ,i  I  *  4  dpn(u) 


+  I 

J€E 

r 

t 


Taking  the  Laplace  transform  of  (2.16),  we  obtain 


(l)  ,  , 

\  r  <S) 
1  t 


i  r<»r  <s)  P'  ts)  *  i  i  P'  (si 

j€E  1  t  J€E  1 

K,  r 

1  t 


where, 


(2. 17) 


pu,s) 


e-st  dP*  (t) 


(2. 18) 


Recalling  (2.3)  and  (2.4),  after  simple  manipulations  it  can  be  shown  that: 


pij(s) 


(  <k  )  <k  )) 

-  lp.j‘  -cvJt 


.  )  (k  )1  f.  .  _ 

,1  -  eq^i  J  *  [l  -  esaijj  ; 


(2. 19) 


PU(S)  =  Cq[)l)  1  j€Er 


(2. 20) 


Substituting  these  expressions  in  (2.17),  we  get: 


( 1  >  /  ■,  v  (J)  ,  ,  (k  )  ~  1  (k  ) 

<p ,  (s)-  V  <p  (s)pi=eV'-qi 

Vt  J«  Vt  iJ  j€E  S  1J 

kl 


-  e 


£  (sa  p(V  +  q(ki>]  <p(J>  (s) 
J6E  l  1J  lJ  i  Vt 


(2.21) 


Passing  to  the  limit  as  c  0,  the  functions  ^(i>  (s)  are  found  to  satisfy  the 

k  r 
l  t 

system  of  equations: 


<l)r (s)  -  i  =  ° 

1  t  J€E  1  t  J 

k 

1 


(2. 22) 


It  follows  from  this  and  the  fact  that  the  Markov  chain  defined  by  the 
transition  probabilities  p'V,  i,jeEk  is  ergodic,  that  the  solution  of  the 
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system  is  independent  of  the  superscript,  i.e.  (s)  =  <p  (s)  V  leE 

k  r  k  r  k 

It  It  1 

(k  ) 

Multiplying  (2.21)  by  the  stationary  probabilities  7^  l  and  summing 
over  all  ieE  and  cancelling  e,  we  get: 

l 


-  (k  )  „  (  (k  )  (k  0  (J>  ,  % 

I  it  V  sa  p  l  +  q  i  (p  (s)  = 

U  1  u  I  lj*lj  r  k  r 

i€E  J€E  v  1  It 


(k  ) 


(k  ) 


1  €E 


ZV*.  I  tp  K 

rti  1  £  qn1 

'  r->  i  ^p*  J 


(2. 23) 


j€E 


On  passing  to  the  limit  e  0,  noting  that  all  the  * p(1)  (s)  have  the  limit 

it 

function  ©  (s),  we  obtain, 

k  r 
1  t 


i  .  1 

K  r (s)  =  pk  r  ;  s~nr 

It  It  kl 


(2. 24) 


which  is  independent  of  the  starting  state  i  in  .  Taking  the  inverse 

l 


transform. 


p/t  s  tl  =  p  1  -  exp(-A  t)l 

e  O  1  k  r  J  k  r.  kl  J 

t  1  t  J  It'’  • 


(2. 25) 


Here,  A  is  same  as  defined  in  (2. 10)  and, 

kl 


—  (k  )  (k  r  ) 

V  n  i  q  it 
u  i  l 

1€E 

k 

1 _ 

k  r  ~  (k  )  (k  ) 

It  T  71  1  q  1 

L,  t 

1€E 

k 

1 


(2.26) 


with. 


(k  r  )  „  (k  ) 

q  1  t  =  y  q  l 

M,  U  Mjj 

J€E 

r 

t 


(2.27) 


Hence,  the  probability  distribution  of  the  sojourn  time  from  the  set 


E  to  E  is  Independent  of  the  starting  state  and  is  given  by: 

1  rv 
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(2.28) 


c'o  P{\  r  *  ‘}  *  r  *  P«  r  P,  ,  )  '  ‘  “P'A.  ‘  >) 

'  1  v  t  '■lv  1  t  t  v'  v  ' 

This  is  a  general  result  that  is  valid  for  any  arbitrary  set  of 
classes  defined  by  (2.1).  In  this  sense  then,  this  result  is  an  extension  of 
the  results  reported  in  [7].  In  fact,  It  generalizes  the  approximate 
aggregation  results  to  essentially  all  fault  tolerant  system  models  in 
semi-Markov  form. 


2. 3.  Model  of  dual  redundant  system 

In  this  section,  a  semi-markov  model  is  developed  that  represents  the 
behavior  of  a  simple  dual  redundant  system.  This  model  is  identical  to  a 
model  considered  in  [7].  However,  the  construction  of  the  model  presented 
here  differs  from  the  model  construction  method  employed  in  [7]  and 
therefore  warrants  detailed  presentation.  The  next  section  will  discuss  the 
numerical  results  generated  for  this  model. 

Consider  a  dual  redundant  fault  tolerant  system  architecture  where  two 
identical  instruments  are  measuring  a  scalar  quantity  of  interest.  An 
instrument  is  deemed  to  have  failed  when  the  measurements  are  corrupted  by  a 
bias  error  sufficiently  large  to  cause  mission  failure  if  the  output  is  used 
in  the  control  scheme.  At  the  two  level  stage  where  both  instruments  are 
operational,  two  one-sided  sequential  ratio  detection  tests  (SRDT)  are  used 
to  detect  a  failure  [7].  If  the  SRDTs  simultaneously  arrive  at  a  decision, 
the  test  is  reset.  Depending  on  whether  SRDT  1  or  SRDT  2  arrives  at  a 
decision,  an  isolation  option  of  either  1  or  2  is  triggered.  In  either 
option,  two  sequential  probability  ratio  tests  (SPRT)  are  used  to  arrive  at 
an  isolation  decision  or  an  alarm  rejection  as  follows: 
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Isolation  Option  1: 


SPRT  1 

SPRT  2 

Decision 

Isolation 

Isolation 

Reinitiate  SPRT’ s 

Isolation 

Rejection 

Declare  instrument 

1  failed 

Rejection 

Isolation 

Declare  instrument 

2  failed 

Rejection 

Rejection 

Reject  SRDT  alarm 

Similar  isolation  options  following  the  triggering  of  SRDT  2  are  defined. 

Once  an  instrument  is  declared  faulty,  the  FDI  tests  are 
discontinued.  To  simplify  the  calculation  of  the  exact  results  required  for 
comparison  to  the  approximate  results  that  will  be  generated  later,  it  is 
assumed  that  all  tests  are  reset  after  five  time  samples,  which  reduces  the 
number  of  terms  in  the  numerical  convolution  sums  to  be  evaluated  to  a 
maximum  of  five.  For  isolation,  we  assume  that  an  independent  estimate  of 
the  scalar  quantity  of  interest  is  available  to  vote  between  the  two 
instruments. 

For  developing  the  semi-Markov  model  for  this  fault  tolerant 
architecture,  it  is  suggested  in  [7]  that  all  the  states  of  the  model  must 
be  enumerated  first,  based  on  the  FDI  logic  and  failure  event  occurence. 
Another  approach  is  to  start  with  a  state  characterized  by  all  working 
components  and  then  list  the  various  combinatorial  events  that  can  happen 
for  this  state  during  a  single  time  step.  This  method  is  more  efficient  and 
does  not  require  the  states  of  the  model  to  be  enumerated  apriori.  After 
considering  the  various  combinatorial  events  and  hence  the  possible  states 
for  the  model,  we  derive  the  core  matrix  elements  [9]  for  the  semi-Markov 
model.  The  core  matrix  elements  are  then  examined  to  see  whether  they 
represent  a  valid  probability  mass  function.  If  the  probability  masses  for 
transitions  out  of  a  particular  state  does  not  sum  to  one,  then  it  implies 
either  there  are  other  states  to  which  it  can  transition  to,  or  the  core 
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matrix  elements  for  transitions  from  this  state  are  in  error.  We  then 
suitably  modify  the  model  and  check  for  a  vaild  probability  mass  function. 
Thus,  the  construction  of  the  semi-Markov  model  in  general  becomes  a 
relatively  simple  trial  and  error  procedure. 

We  start  the  model  development  for  the  two  component  redundant  system 
from  a  state  that  rpresents  a  condition  with  all  components  available,  none 
failed  and  no  detection  alarm  present.  The  various  possible  events  that  can 
occur  during  one  time  step  are  as  follows: 

(1)  No  failure  but  SRDT  alarm  occurs. 

(2)  One  instrument  failed  and  correct  detection  alarm  occurs. 

(3)  One  instrument  failed,  detection  alarm  occurs  for  wrong  pair. 

(4)  One  instrument  failed  and  no  detection  alarm  occurs. 

Thus  by  considering  all  possible  combinatorial  events  from  a  known 
state,  we  have  enumerated  four  other  states  of  the  model.  We  then  proceed  as 
above  to  list  other  possible  states  for  the  model  from  these  known  states. 

For  this  FDI  scheme  with  the  given  architecture,  we  get  a  nine  state 
model.  The  nine  states  and  the  notation  used  to  represent  them  are  given 
below. 

1.  Two  instruments  available,  none  failed,  no  detection  alarm 
present,  SRDT" s  operating.  (2/0/0) 

2.  Two  instruments  available,  none  failed,  one  SRDT  detection 
alarm  present,  SPRT’ s  operating.  (2/0/D) 

3.  One  instrument  available,  one  eliminated  due  to  false 
isolation  [FDI  discontinued] .  (1G/FI) 

4.  Two  Instruments  available,  one  failed,  correct  detection  alarm 
triggered,  SPRT’ s  operating.  (2/F/C) 

5.  Two  instruments  available,  one  failed,  detection  alarm  present 
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for  wrong  pair,  SPRT’ s  operating.  (2/F/V) 

6.  Two  instruments  available,  one  failed,  no  detection  alarms 
present,  SRDT’ s  operating.  (2/F/Q) 

1.  One  good  instrument  available,  one  faulty  instrument  isolated 
[FDI  discontinued] .  (1G/F) 

8.  System  loss  due  to  one  failure  and  one  false  isolation. 

(SL/F/FI) 

9.  System  loss  due  to  two  failures.  (SL/2F) 

The  state  transition  diagram  for  this  model  is  given  in  Appendix  A. 

The  thick  lines  indicate  fast  transitions  while  the  dashed  lines  indicate 
slow  transitions.  The  self  loops  in  each  state  indicate  the  reset  mechanism 
incorporated  in  the  tests.  We  notice  that  some  of  the  states  in  this  model 
can  be  aggregated,  for  instance  states  8  and  9  which  represent  a  vehicle 
loss.  This  has  not  been  done  in  order  that  when  the  nine  state  model  is 
decomposed,  it  breaks  up  into  three  classes  with  the  inter-class  transitions 
taking  place  in  the  slow  time-scale  (of  order  c,  the  failure  rate  of  the 
components) . 

2.3.1.  Set  notation  used 

Before  deriving  the  core  matrix  elements  we  present  the  set  notation 
used  to  represent  the  various  events  associated  with  the  model. 


F1 

m 

A  failure  of  instrument  i  at 

time 

sample  m 

F1 

m 

No  failure  of  instrument  i  at 

time 

sample  m 

Dl 

ro 

A  failure  indication  by  SRDT 

for 

instrument 

i 

at 

time 

sample  m 

D1 

m 

No  decision  available  from 

SRDT 

on  instrument 

i  at 

time  sample  m 

Rl 

m 

Rejection  of  alarm  by  SPRT 

for 

instrument 

i 

at 

time 
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sample  m 

I1  Isolation  decision  by  SPRT  for  instrument  i  at  time 
m 

sample  m 

fl  Denotes  the  intersection  of  events 

U  Denotes  the  union  of  events 

It  is  assumed  in  the  development  of  the  semi-Markov  model  that  all  of 
the  events  are  statistically  independent.  A  complete  statistical  description 
of  the  SRDT  and  SPRT  used  in  the  FDI  scheme  requires  knowledge  of  the 
conditional  probability  mass  functions  (pmf)  of  the  time  to  decision  of  the 
sequential  tests.  The  following  functions  are  used  to  describe  the  behavior 
of  the  sequential  tests. 

f°(-)  pmf  for  detection  given  no  failure  is  present  for  SRDT 

f*(*)  pmf  for  detection  given  failure  is  present  for  SRDT 

f°(-)  pmf  for  detection  given  no  failure  is  present  for  SPRT 

f°(-)  pmf  for  rejection  given  no  failure  is  present  for  SPRT 

R 

f|(-)  pmf  for  detection  given  failure  is  present  for  SPRT 

f*(-)  pmf  for  rejection  given  failure  is  present  for  SPRT 

R 


The  above  pmf’s  can  be  expressed  in  the  event  notation  as  follows: 

tn  -  1  i  m-1 


/  m - 1  m-i  \ 

f°(m)  =  PHD1  n  D1  n  O 

d  1  m  1 1  d  '  1  k] 

v  k=  1  k  =  l  / 


(2.29) 


f  Cm)  =  Pr 
o 


/  m-l 

(d1  n  d1 

l m  kL\  - 


f  (m)  =  Pr 

R 


/  m-l 

Ir1  n  d1 
l  m  k=i  ■ 


r(m)  =  Pr 


t  m-l 

I1'  n  51 

\  m  k?i  ra 


m-l 


n 

k  =  l 


m-l 


n 

k  =  l 


(2. 30) 


(2. 31 ) 


(2. 32) 


f  (m)  =  Pr 

R 


K 


m-  1 

n 

k  =  1 


D1 

m 


(2.  33) 


18 


f*(m)  =  Pr/l1  n  D1  I  F‘l 

1  l  m  JJa  ■  I  °J 


(2. 34) 


An  important  observation  to  be  made  concerning  the  above  pmf’s  is  that 
the  fault  monitoring  event  at  time  sample  m  is  conditioned  on  the  failure 
events  that  take  place  prior  to  and  including  time  m-1.  Thus,  it  is  assumed 
that  there  is  a  delay  of  at  least  a  single  time  step  between  when  a  failure 
takes  place  and  when  it  is  detected. 

We  further  define  the  quantities  S^(m),  which  will  be  used  frequently 

in  the  derivation  of  the  core  matrix  elements. 

S1(m)  Probability  that  no  decision  has  been  reached  at  a 

o 

given  time  m  in  the  absence  of  a  failure  for  SRDT 
S*(m)  Probability  that  no  decision  has  been  reached  at  a 

given  time  m  in  the  presence  of  a  failure  for  SRDT 
Identical  quantities  for  the  SPRT  are  defined  with  the  superscripts  taking 
the  value  2  in  each  case. 

In  terms  of  the  event  notation  each  of  the  above  quantities  can  be 


expressed  as  follows: 


s>>  -  4:  V  |  V  p;}  ■ 

v  k  =  l  k=l  > 


(2. 35a) 


S1(m)  =  1  -  T  f°(k)  ;  mil 

o  D 

k  =  l 


(2. 35b) 


(  ®  *■*  1  I  \ 

S1  (m)  =  Pr-|Dl  n  D1  fH  ;  mil 

1  l  ■  k=1  ■  I  °J 


(2.36a) 


D 

S1 (m)  =  1  -  T  f 1 (k )  ;  mil 

1  D 


(2. 36b] 


S“(m)  =  1 

o 


-  i  [<>>  *  f>»]  • 

k  =  l  L  J 


(2. 37) 
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S“(m)  =  1-1  r(k)  +  f  (k)  ;  mfcl 

k  =  1  L  -I 


(2. 38) 


An  additional  assumption  made  in  deriving  the  model  is  that  the 
failures  exhibit  a  geometrically  distributed  time  of  occurence.  The 


probability  of  failure  e  over  a  single  time  step  can  be  expressed  as: 


r{F  I  F  1  = 

^  m  |  m-lj 


(2. 39) 


2.3.2.  Core  matrix  element  derivation 

We  now  proceed  to  derive  the  core  matrix  elements  for  the  semi-Markov 

model  of  the  dual  redundant  system.  To  be  concise,  we  indicate  the  steps 

involved  in  the  derivation  of  the  core  matrix  element  g^(-)  for  one  case 

and  give  the  final  expressions  for  other  cases. 

Let  us  examine  in  detail  the  core  matrix  element  g  (m),  i.e. ,a  reset 

n 

of  state  1.  A  reset  arises  at  time  m  if  no  failures  take  place  for  all  times 
prior  to  and  including  m,  the  chain  entered  state  1  at  m=0,  and  both  SRDT’ s 
indicate  a  detection  of  failure  at  time  m.  Since  it  is  assumed  that  the 


tests  are  reset  after  m=5,  we  have: 


gn(m)  =  Pr 


{[„?5 


pr{[°>Ci  53  ti,  — ]} 


(2.40) 


Noting  that  all  of  the  above  events  are  conditionally  independent, 
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*„<»>  -  Pr{  kn K }  H  J}K } Pp{  J}K  |  Vn } 


Pr{  n  K  |  "n'ft  } 

1  k  =  l  k  =  l  / 


m5 


r  m  \  /•  m  _  \  t  m-1  m-1  \ 

pr{  n  Fk  }  Pr{  n  Fk  }  Pr{  o'  n  K  n  f } 

v  k=l  '  v  k  =  1  /  v  15  =  1  k  =  l  ' 


(  m-1  m-1  \ 

Pr{D^  n  5k  n  pk  } 

'  k  =  l  k  =  1  > 


(2.41) 


Applying  the  definitions  for  the  pmf  and  using  the  notation  defined  earlier, 
we  can  simplify  (2.41)  to  yield: 


g^tm)  =  (1-e) 


2m 


[i  -  i 

L  k  =  l  J 


5  c  +  (1-e) 

m5 


2m 


[#■>]' 


(2.42) 


Consider  the  core  matrix  element  g^fm),  which  is  the  pmf  for  the  SPRTs 
to  arrive  at  a  no  failure  decision  given  no  failure  is  present.  This 
transition  occurs  when  either  SPRT  arrives  at  a  no  failure  decision  at  any 
time  prior  to  and  including  m  and  the  the  other  SPRT  decides  on  a  no  failure 
decision  at  instant  m  given  that  no  failures  are  present.  This  can  be 
represented  in  the  event  notation  as, 

i-m- 1 


8-‘")=Pr{fc  p:)[n  k  -ElLnn  f:]} 


.43) 


Using  the  conditional  independence  of  various  events  this  simplifies  to, 

,  2  m-1 


g2i(m)  =  (l-e)‘ 


+  2  f  (m) 

R 


If°Oc)' 

t=i  J 


(2. 44) 


Proceeding  along  similar  lines,  the  core  matrix  elements  for  other  cases 
are  summarized  below. 


21 


s44(”> 


g46(m) 

g47(ml 

g48(”’ 

g49(m) 

g41(») 


g 

g 

g 

g 

g 


56 


57 


58 


59 


51 


(m) 

(m) 

(m) 

(m) 

(m) 


=  (l-e)B[f1i(m)  £f°(k)+f°(m)  £f|(k)l 

L  k=l  k=l  J 

+  (l-e)njs2(m) [l-S2(m)J  +  S2(m) ^l-S2(m)Jj-S 

=  (l-e)m|"f*(m)  l  f°(k)  +  f°(m)  Yf>>l 
L  k  =  l  k  =  l  -I 

=  (l-e)m[f*(m)  £f°(k)  +  f°(m)  £f!(k)l 

II  R  R  I 

L  k=l  k=l  J 


=  (l-e)m[f*(m)  £f°(k)  +  f°(m)  *£  f*(k)l 

I  R  I  I  R  I 

L  k=l  k=l  J 

=  e(l-e)<n~1)/s*(m)[\-S*(m)j  +  S2(m)  |\-S2(m)j  J- 


=  0  ;  i=l, 2,3,5 


=  f°(m)  +  2  f°(m)  Y^k)] 

*-  k=l  1  -I 


+  2(l-e)“  S2(m) 
0 


m5 


(l-e)"*|f”(m)  f°(m)  +  2  f°(m) 

R  I 


m- 1 

Ef°U) 

k  =  l 


=  (l-e)m[f°(m)  Ef°(k)  +  f°(m)  E  f°(k)l 
I-  k  =  l  R  k  =  l  1  -* 

=  (l-e)m[f°(m)  £f°(k)  +  f°(m)  Yf°(k>] 

<-  k  =  l  k  =  l  J 


2(l-c)(°"1>  S 


=  o  ;  i=l . 4 


(2. 59) 

(2.60) 

(2.61) 

(2.62) 

(2. 63) 

(2.64) 

(2.65) 

(2.66) 

(2.67) 

(2.68) 

(2.69) 

(2.70) 
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(2.71) 


g,  (m)  =  (l-e)“  S1(m)  f*(m) 

64  0  D 


g  (m)  =  (l-c)m  S*(m)  f°(m) 

65  1  D 


(2. 72) 


gc  (m)  =  (l-e)m[s1(m)  S^m)  5  =  +  f°(m)  f^m)]  (2.73) 

66  |_  0  1  mS  D  D  J 


g  (m)  =  e(1-e)  <m_1)s’' (m)  S^m) 

69  0  1 


(2.74) 


g  (m)  =  0  ;  1=1, 2, 3, 7, 8 
6 1 


(2.75) 


g?7(m)  =  (l-e)5Bi 


(2.76) 


S7,ln,)  = 


(2. 77) 


g71(m)  =  0  ;  1*7,9 


(2. 78) 


*Wm)  =  5„i 


(2. 79) 


g  (m)  =  0  ;  1*8 

O  1 


(2. 80) 


g  (m)  =  6 
99  ml 


(2.81) 


g  (m)  =  0  ;  1*9 

91 


(2.82) 


The  numerical  values  used  for  S^(m)  In  computing  the  core  matrix  for 

the  dual  redundant  system  considered  in  the  example  are  given  below. 

S1  ( 1  )=0.  9895;  S* (2)=0.  9792;  S1  (3)=0.  9696;  S1  (4)=0.  9608;  S^^O^Sl 
0  0  0  0  0 

sj ( 1 )=0. 7862;  sj (2)=0.  5845;  sj  (3)=0. 3861;  S* (4)=0. 2012;  sj(5)=0.0199 

S2 ( 1 )=0. 7900;  S2(2)=0.  5845;  S2(3)=0. 3819;  S2 (4)=0. 1867;  S2(5)=0.0008 
0  0  0  0  0 

S2( 1 )=0.  7812; S2(2)=0. 5745;  S2(3)=0.  3721;  S2(4)=0. 1842;  S2(5)=0.0009 


The  decision  time  mass  functions  considered  for  the  SRDT’ s  give  P^a=0.047 

and  those  of  the  SPRT’ s  give  P,  =0.047  and  P  =0.02. 

°  fa  m 
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2.3.4  Decomposition  of  the  model 

The  semi-Markov  model  for  the  dual  redundant  fault  tolerant  system 
exhibits  fast  and  slow  transitions  between  various  states  and  can  be 
decomposed  into  different  classes  such  that  the  transitions  within  each 
class  are  all  in  the  fast  time  scale.  Class  1  comprises  states  1,2,  and  3  (1 
and  2  transient),  class  2  states  4, 5, 6, 7  and  8  (4,5  and  6  transient),  and 
class  3  state  9.  Class  2  contains  two  trapping  states  for  e=0  and  hence  is  a 
non-ergodic  class. 

2.  4  Modif ied  ALgorithm  f or  Generating  Numerical  Results 

Earlier  results  based  on  Korolyuk’s  limit  theorem  for  semi-Markov 
chains  approximate  the  aggregated  state  model  after  time  scale  decomposition 
by  a  homogeneous  Markov  chain.  The  inter-class  transition  rates  are  derived 
from  (among  other  things)  the  invariant  distribution  in  each  class. 

Many  states  in  a  FTCS  model  lacking  on-line  repair  are  transient.  When 
these  transient  states  have  large  holding  times,  considerable  error  in  the 
asymptotic  approximation  for  the  original  semi-Markov  model  results  over  the 
time  scales  of  interest.  Furthermore,  in  some  cases,  occupation  of  these 
states  is  the  only  means  by  which  some  of  the  interclass  transitions  can 
occur.  In  these  cases,  the  class  probability  approcimations  can  also  be  in 
considerable  error. 

One  of  the  key  results  of  the  research  during  the  period  of  the  grant 
is  the  development  of  a  modified  algorithm  to  account  for  inter-class 
transitions  from  transient  states  with  long  holding  times.  In  this 
algorithm,  a  non-homoger.eous  aggregated  Markov  chain  is  used  to  evaluate  the 
class  probabilities  after  decomposition.  The  time  varying  transition  rates 
for  this  Markov  chain  are  derived  taking  into  account  contributions  from  the 
transient  states.  This  leads  to  a  more  complex  algorithm  for  approximating 
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the  state  probabilities,  but  considerable  improvement  in  the  accuracy  of  the 
approximations  is  the  result.  See  Appendix  A  for  details. 

The  modified  algorithm  was  investigated  by  applying  it  to  the 
dual-redundant  FTCS  model  derived  in  the  preceding  section.  Comparison  of 
the  numerical  results  from  the  two  asymptotic  approximations  are  discussed 
in  appendix  A.  Since  the  nine  state  model  considered  in  the  example  is 
representative  of  FTCS  models,  the  results  are  quite  encouraging. 

It  is  interesting  to  note  that  when  the  earlier  limit  theorem  is  used, 
there  is  100%  error  in  the  estimates  of  the  occupancy  probabilities  for  all 
the  transient  states  and  significant  error  in  the  class  probabilities  as 
well.  However,  using  the  modified  algorithm  mentioned  above,  the  transient 
states  are  better  approximated  with  class  probability  errors  within  10%. 

This  is  a  significant  improvement  over  the  earlier  methods  and  makes  this 
technique  a  valuable  tool  for  evaluation  of  FTCS  designs. 
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3.  SUMMARY  OF  SIGNIFICANT  FINDINGS  AND  FUTURE  WORK 


3. 1  Significant  Findings 

The  work  during  the  grant  period  produced  two  key  findings.  They  are: 

1.  The  extension  of  the  approoximate  aggregation  results  to  decomposed 
classes  that  contain  multiple  trapping  states.  (See  section  2.2.) 

2.  The  development  of  the  modified  algorithm  that  accounts  for 
interclass  transitions  from  transient  states  with  long  holding 
times.  (See  sections  2.3  and  2.4  and  Appendix  A. ) 

The  first  of  these  findings  is  significant  because  it  implies  that 
approximate  aggregation  can  be  applied  to  a  broad  range  of  semi_markov 
reliability  models  of  fault  tolerant  systems.  The  second  finding  is 
significant  because  the  modified  algorithm,  while  introducing  another  source 
of  error,  leads  to  significantly  more  accurate  numerical  results  for  models 
that  include  transient  states  with  very  long  holding  times  within  the 
decomposed  classes. 

3. 2  Future  Work 

A  proposal  has  been  submitted  to  AFOSR  to  continue  this  work.  The  focus 
of  the  continuation  of  the  work  is  to  extend  the  class  of  models  to  which 
the  modified  algorithm  can  be  applied.  Also,  the  proposed  effort  will  begin 
to  examine  fault  tolerant  systems  from  a  control  system  performance 
viewpoint,  a  viewpoint  which  has  been  secondary  to  our  reliability 
evaluation  work.  Finally,  we  will  attempt  to  examine  more  complex  models  of 
fault  tolerant  systems. 
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ABSTRACT 

Reliability  models  of  fault  tolerant 
control  systems  (FTCS)  are  described  by 
semi-Markov  models  when  sequential  tests 
are  used  for  failure  detection  and 
identification  (FDI).  The  transient 
analysis  of  these  semi-Markov  chains  are 
of  interest  because  the  steady  state 
behaviour  is  trivial.  The  relatively 
rare  occurence  of  the  failure  events 
compared  to  the  fast  decisions  by  the 
FDI  tests  allow  time-scale  decomposition 
of  these  models.  This  leads  to  an  aggre¬ 
gated  state  model  which  is  approximately 
Markovian  in  character  in  the  limit  when 
the  failure  rates  approach  zero.  An 
aggregate  non-homogeneous  Markov  model 
is  considered  over  the  transient  period 
of  interest  and  an  algorithm  to  compute 
the  transition  rates  from  the  aggregated 
states  is  described.  From  the  aggregated 
model,  the  state  probability  distribu¬ 
tion  of  the  original  semi-Markov  model 
can  be  derived  by  a  disaggregation  step. 

1.  INRODUCTION 

A  fault-tolerant  system  architecture 
is  described  by  a  redundant  set  of 
components  and  a  redundancy  management 
(RM)  algorithm  to  reconfigure  the  system 
when  failures  occur.  These  failures  typ¬ 
ically  occur  ?  :  a  relatively  slow  rate 
compared  to  the  RM  decision  events.  The 
RM  decisions  are  made  based  on  FDI  tests 
on  output  signals  of  interest.  Since  the 
FDI  tests  operate  in  a  noisy 
environment,  to  keep  the  decision  errors 

low  (typically  of  order  10  2  to  10~3  per 
test)  these  tests  are  often  sequential 
in  nature.  Such  sequential  tests  have 
non-exponential  holding  tiroes  before  a 
decision  is  made.  This  gives  rise  to 
semi-Markov  models  for  the  FTCS 
reliability  models  [1]. 

A  semi-Markov  chain  is  characterised 
by  a  discrete  set  of  states  and  an 
arbitrary  distribution  of  the  holding  or 
sojourn  time  for  each  transition.  The 
semi-Markov  chain  specialises  to  a 
Markov  chain  when  the  holding  times  are 
geometrically  and  identically  distribut¬ 
ed  for  all  transitions  exiting  a 
particular  state. 

In  any  FTCS  design  the  designer  must 
choose  the  thresholds  for  the  FDI  tests. 
These  thresholds  govern  the  probability 
of  false  alarms  (Pfa)  and  the 

probability  of  missed  detection  (Pm)  for 

each  execution  of  the  test.  To 
investigate  whether  the  thresholds  are 
acceptable,  one  needs  efficient  but 


computationally  simple  techniques  to 
evaluate  the  reliability  of  the  system 
over  a  desired  mission  time.  Since  such 
designs  are  iterative  in  nature,  it  is 
imperative  that  the  computational  scheme 
be  as  simple  as  possible.  The 
approximate  reliability  evaluation  of 
semi-Markov  models  proposed  in  this 
paper  is  designed  specifically  to 
address  the  above  issue.  The  results 
derived  in  the  sequel  are  applied  to  a 
representative  FTCS  architecture  and  the 
approximate  results  are  compared  with 
the  exact  results  obtained  by  solving 
numerically  for  the  interval  transition 
probability  matrix  ®(n). 

Many  methods  exist  for  evaluating 
the  steady  state  behaviour  of  semi- 
Markov  chains  [2].  However,  most  FTCS 
models  contain  one  or  mere  trapping 
states  (such  as  the  system  loss  state) 
and  hence  the  steady  state  behaviour  is 
trivial  and  not  of  interest.  In  order  to 
evaluate  the  reliability  of  the  FTCS 
over  the  time  period  of  interest,  the 
interval  transition  probability  matrix 
®(n)  of  the  transient  semi-Markov  model 
must  be  computed  [2].  The  computation  of 
®(n)  involves  convolution  sums  and  hence 
is  memory  and  computation  intensive 
[3,4].  The  time  step  'n'  over  which  ®(n) 
must  be  evaluated  is  often  very  large  in 
an  absolute  sense  but  short  in 
comparison  with  the  mean  time  between 
failures  (MTBF)  of  the  components. 

Other  schemes  for  transient  analysis 
based  on  time-scale  decomposition  of 
original  model  into  fault-handling  and 
fault-occurence  sub-models  have  been 
proposed  [5,6].  In  [5]  techniques  are 
described  for  multi-processor  systems 
where  FDI  tests  are  single  sample  tests 
that  give  rise  to  Markov  models.  In  [6] 
the  presence  of  non-exponential  sojourn 
times  in  the  states  are  considered  and 
an  extended  stochastic  Petri  Net  model 
is  used  for  the  fault-handling  behaviour 
while  a  non-homogeneous  Markov  chain  is 
used  for  possibly  non-Poisson  fault- 
occurence  behaviour.  However,  the 
presence  of  false  alarms  in  developing 
the  fault  handling  sub-models  is  not 
taken  into  consideration. 

In  the  technique  proposed  here  we 
consider  only  constant  failure  rates  but 
arbitrary  sojourn  times  in  the  various 
states  and  also  take  into  consideration 
the  probability  of  false  alarms. 

The  paper  is  organised  as  follows. 
In  section  2,  the  previous  work  in  this 
area  and  existing  limit  theorems  for 
semi-Markov  chains  are  discussed.  In 
section  3,  an  algorithm  for  approximat- 


2653 


ing  the  transient  behaviour  of  the 
original  model  is  developed.  Section  4 
describes  the  application  of  the 
proposed  technique  to  a  two  component 
redundant  system  architecture  that  uses 
sequential  tests  for  failure  detection. 

2.  BACKGROUND 

Earlier  results  have  been  based  on 
Korolyuk's  limit  theorem  for  semi-Markov 
chains  [7],  which  approximates  an 
aggregated  state  model  by  a  homogeneous 
Markov  chain.  The  original  semi-Markov 
model  is  decomposed  into  various  classes 
where  each  class  contains  a  group  of 
states  characterised  by  an  identical 
number  of  failures.  For  instance,  class 
1  contains  all  states  with  no  failures, 
class  2  contains  all  states  with  one 
failure,  etc.  The  inter-class  transiti¬ 
ons  take  place  in  a  slow  time-scale  at  a 
rate  of  order  e,  the  failure  rate  of  the 
components.  It  has  been  shown  that  the 
aggregate  class-to-class  transitions 
have  exponential  sojourn  times  when  the 
embedded  Markov  chain  in  each  class  for 
c=0  is  ergodic  [7].  In  [8],  the  invari¬ 
ant  distribution  in  each  class  of  the 
aggregate  model  is  used  to  derive  class- 
to-class  transition  rates.  One  difficul¬ 
ty  with  such  a  technique  for  FTCS  is 
that,  for  systems  that  lack  on-line 
repair  capability,  many  of  the  states  in 
each  class  are  transient.  When  the 
original  semi-Markov  model  probability 
distribution  vector  is  recovered,  the 
estimates  for  the  transient  states  are 
zero  [4].  These  states  may  have  large 
holding  times,  which  in  the  original 
model  may  be  of  the  order  of  the  mission 
time,  and  hence  approximating  their 
probabilities  by  zero  may  not  be  valid. 
Futhermore,  in  some  cases,  occupation  of 
these  states  is  the  only  means  by  which 
some  of  the  interclass  transitions  can 
occur.  In  these  cases,  class  probabili¬ 
ties  can  also  be  considerably  in  error. 

Another  drawback  of  the  technique  in 
[8]  is  that  the  approximation  is  valid 
only  if  the  embedded  Markov  chain  in 
each  class  is  ergodic.  This  means  that 
each  class  must  contain  exactly  one 
irreducible  closed  subset  of  positive 
persistent  aperiodic  states  [9],  Many 
FTCS  architectures  give  rise  to  non- 
ergodic  classes  when  the  time-scale 
decomposition  is  used.  A  modified  algor¬ 
ithm  is  presented  in  [4]  that  relaxes 
this  condition  for  some  of  the  classes. 

In  section  3,  we  present  an  algori¬ 
thm  that  gives  good  approximations  for 
state  probability  distributions  of 
semi-Markov  models  and  also  relaxes 
ergodicity  condition  for  all  classes. 

First,  we  summarize  the  results  in 
[8]  and  introduce  notation  used  in  the 
later  sections. 

2.1  Limit  Theorem  For  Semi-Harkov  Chains 
Let  the  set  E  of  states  of  the 
semi-Markov  chain  be  expressible  as  a 
union  of  disjoint  classes: 


E=  IE, 


^{l,2,..,R} 


Let  1  be  the  sojourn  time  of  the 
semi-Markov  chain  in  class  E^  when  it 
starts  from  state  ieE^  and  moves  to 
class  Er  where  r *k.  Suppose  the  follow¬ 
ing  two  conditions  hold  for  the  semi- 
Markov  chain  E: 

1.  The  elements  of  the  core  matrix 
sequence  jg^j(n)  I  i,jeE|  specifying  the 

semi-Markov  chain  depend  as  follows  on 
the  small  parameter  e: 


s!j(n|  -  p'j  hij(  i  ) 


where  h^j(n)  is  the  holding  time  mass 
function  for  a  transition  from  state  i 
to  state  j  and  h^. (0)=0.  The  p^.  can  be 

expanded  in  a  Taylor  series  about  e=0. 
Retaining  terms  that  are  linear  in  c: 

c  fp^  -cq^  +0(C)  if  i,jeEk 

^ j  fk)  ( 3 ) 

cqjj  +0(C)  if  ieE^and  j«Ek 

The  embedded  Markov  chain  for  c=0  obeys 
the  usual  Markov  chain  properties: 

Ep]^)=l;  and  pj^*tO,l]J  V  keM  (4) 
j€Ek  ■> 

Here  cqjV ,  i,je Ek  are  probabilities  by 
which  the  Markov  chain  defined  by  £pjVj 
is  defective  if  the  c-dependent  transi¬ 
tions  are  taken  into  account,  and  cq!k.’, 
ieEk,  j* Ek  are  c-dependent  out  of  class 

transition  probabilities. 

2.  The  embedded  Markov  chains  defined 

by  the  matrices  jpj **  li ,  jeEk  V  keMj  are 
ergodic  with  stationary  distribution 

Ms5  |i€Ek v  *«»*}• 


C  C 
where: 


men  ; 

lim  Pr(rKr3tj=rhr{l-exp(-Xht/T)}  (5) 


r  „Wq!*r> 

-I6E  lS 
-l€E  lS 

k 


Le  k"l 


(*)_(*) 
»  Q  f 


(Ot) 
is  j 
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Here: 

q(kr)  -  Zqfk) 

r 

(8) 

qf>  =  I  q{5> 

(9) 

t<*>  =  z  P-(k)  x.  • 

1  2->  2-> 
k 

(10) 

00 

*ij  8  hij(n) 

n=0 

(11) 

For  proof,  we  refer  the  reader  to  [4]. 

If  we  consider  a  discrete  state 
continuous  time  semi-Markov  chain  with 


probability  transition  matrix  [pEj(t)], 

i,jeE,  and  holding  time  cumulative 
distribution  functions  F^.  (t/c)  depend¬ 
ing  on  the  small  parameter  e,  then  iden¬ 
tical  results  can  be  derived  [4].  We  now 
proceed  to  derive  our  algorithm  for 
approximating  the  state  probability  vec¬ 
tor  of  the  original  semi-Markov  model. 


3.  MODIFIED  ALGORITHM 
An  interesting  aspect  of  many  FTCS 
without  on-line  repair  capability  is 
that  the  inter-class  transitions  take 
place  in  an  hierarchical  manner  with 
transitions  from  each  class  leading  to  a 
more  degraded  class,  with  the  last  class 
a  trapping  class.  This  implies  that: 


qlkr)=qlk)  V  ie E.  if  k — >r  (12) 

1  1  A 

and, 

,  f  1  if  k — >r  .... 

7k r  \  0  otherwise  '  1 

where  k — >r  implies  that  there  exist 
transitions  from  class  k  to  class  r. 

In  [4]  the  invariant  distribution  in 
each  class  is  used  to  compute  the  inter¬ 
class  transition  rates  A^.  It  is  clear 

from  the  results  in  [4]  that  the  transi¬ 
tion  rates  from  the  classes  ultimately 
converge  to  this  after  the  invariant 
distribution  in  each  class  is  establish¬ 
ed,  but  may  be  different  over  a  transi¬ 
ent  period  that  can  be  quite  large. 
Hence,  it  is  intuitively  clear  that  if 
we  are  in  a  position  to  characterise  a 
time  varying  A^  for  the  transitions,  we 

can  get  better  approximations  for  the 
results.  One  way  to  achieve  this  is  to 
define  a  time-varying  ( Jc)  that  depends 

on  the  probability  distribution  over  the 
transient  period  in  each  class  so  that 
out  of  class  transitions  from  the  trans¬ 
ient  states  are  given  due  importance. 
This  will  give  rise  to  a  non-homogeneous 
Markov  chain  for  the  aggregate  model.  To 
reduce  the  complexity  of  solving  a 
non-homogeneous  Markov  chain,  we  assume 
transition  rates  are  stepwise  constant 
over  the  desired  time  interval. 

We  first  define  the  notion  of 


step-size  for  the  algorithm  that  we  will 
discuss  later.  Let  'm'  be  the  desired 
time  step  at  which  the  reliability  of 
the  system  is  to  be  evaluated.  We 
sub-divide  m  into  N  intervals  each  of 
size  m/N.  We  refer  to  the  time  interval 
m/N  as  the  step-size  of  the  algorithm. 
Notice  that  if  the  holding  time  in 
transient  states  in  each  class  are  very 
small  compared  to  the  time  interval  m, 
then  the  approximation  in  [4]  of  using 
constant  A^  over  the  entire  interval  is 

valid.  The  violation  of  this  assumption 
in  most  FTCS  models  is  the  motivation 
behind  our  modified  algorithm. 


As  discussed  above,  to  incorporate  a 
time-varying  transition  rate  we  need  to 
evaluate  the  probability  distribution  in 
each  class  at  various  time  steps  for  the 
case  c=0.  In  trying  to  do  this,  we  are 
faced  with  the  difficulty  that  the  vari¬ 
ous  classes  can  be  semi-Markov  and  hence 
this  probability  distribution  can  depend 
upon  the  time  at  which  the  class-to- 
class  transitions  occur,  which  is  not 
known.  Apart  from  this,  solution  of 
semi-Markov  models  in  each  class  is  not 
attractive  even  though  solution  of  such 
reduced  order  models  is  computationally 
feasible.  An  engineering  approximation 
to  overcome  this  drawback  is  to  solve 
the  reduced  order  semi-Markov  model  for 
class  1  and  then  compute  the  c -dependant 
transition  probabilities  to  class  2  to 
determine  the  probability  distribution 
in  this  class.  Making  use  of  the  assumed 
hierarchical  nature  of  the  FTCS  model, 
we  then  proceed  to  compute  the  distribu¬ 
tions  in  other  classes  in  the  same 
manner  once  the  probability  distribution 
in  the  previous  classes  is  known. 

The  algorithm  to  compute  the  approx¬ 
imate  probability  distribution  vector  at 
the  desired  time  step  m  is  given  below. 
3.1  Aggregation  step 

Let  nsm/N  be  the  step-size  of  the 
algorithm  and  let  k/n=l , 2 , . . . , N .  Let 

n!1,(k)  be  the  probability  of  occupying 

*  A,  W 

the  i  state  within  class  1  when  e=0. 
As  pointed  out  earlier,  this  can  be 
obtained  by  solving  the  transient  semi- 
Markov  model  of  class  1.  The  approximate 
probability  distribution  in  other 
classes  are  computed  as  follows. 

For  keS^lm, 2n, . . . ,Nnl  and  v=\ , 2 ,  . . . , R-l 


ern (k)=  £  nT (k)qji/?ji ;i6Ev.. (14) 
W-p!1'*11  (k)/  Z  pjl'4,,(X)  (15) 


,  ( V+\  ) 


(k)  =£ *  (k-n)  +  Z  Sr” 

J€Ev.t 


(k-n)* 


<p^i<'*,,<k)-<ri,<k-n)  (i6> 
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ir!*'*1’ (k) (k)/  Z  c!VM,(k)  (17) 

,€Ev.i 

where  (p v) ji  is  (j,i)th  element  of  the 

matrix  ^pj^*i)jm/N  and  the  initial 
conditions  are: 


CjW+!’(0)=0  (18) 

C]V<1,(0)=0  (19) 

The  new  transition  rates  of  the  non- 
homogeneous  Markov  chain  are  determined 
as  follows: 

x”  (k)  =  .  5*  |x^(k)  +7.^  (m)  j ;  VkeS  &  veM  (20) 
where  A^fk)  is  evaluated  as  in  (7)  with 

niV  rePlaced  by  rrj^fk}.  Notice  that 
for  v*l,  we  need  not  store  nj1^  (k)  Vk  if 
we  compute  at  each  step,  X^(k)  VveM.  The 

averaging  done  in  eguation  (20)  gives  a 
simple  heuristic  algorithm  to  account 
for  transitions  from  transient  states 
during  the  mission  time  of  interest.  The 
probability  transition  matrix  at  the 
desired  time  step  'm'  is  then  determined 
from, 

P (m) =exp  (A**e  *n)  (21) 

where, 

N 

A*=  I  \  (22) 

k=  1 

Here,  Afc  is  the  transition  rate  matrix 
of  the  Markov  chain  [2],  given  by, 

Ak=A(k)*(r-l)  (23) 

where  A(k)  is  a  diagonal  matrix  with 
elements  x"(k),  r=[ryr]  and  I  is  the 

identity  matrix. 

3.2  Disaggregation  step 

From  the  approximate  probability 
transition  matrix  P(m)  the  probability 
distribution  vector  of  the  aggregate 
model  at  the  desired  time  step  can  be 
determined  from  the  known  initial 
condition.  We  denote  its  elements  by 
p i (m) ,  teM .  The  state  probability 

distribution  of  the  original  model  are 
approximated  at  the  disaggregation  step 
as  follows: 

t,'”  (m)=pi(m)*7i'1)(m)  ;  VieM  &  VJeEi(24) 


n'"(m)=7|(,,(m)/  IutU(m)  (25) 

3  3  i .  J  3 

where  n’n(m)  are  the  elements  of  the 

probability  distribution  vector  of  the 
original  semi-Markov  chain. 


4.  NUMERICAL  EXAMPLE 
The  proposed  technique  is  applied  to 
a  two  component  redundant  system  that 
uses  sequential  tests  for  FDI.  At  the 


two  level  stage  where  both  instruments 
are  operational,  two  one-sided  sequenti¬ 
al  ratio  detection  tests  (SRDT)  are  used 
to  detect  a  failure  (1).  If  the  SRDTs 
simultaneously  arrive  at  a  decision,  the 
test  is  reset.  Depending  on  whether  SRDT 
1  or  SRDT  2  arrives  at  a  decision,  an 
isolation  option  of  either  1  or  2  is 
triggered.  In  either  option,  two  sequen¬ 
tial  probability  ratio  tests  (SPRT)  are 
used  to  arrive  at  an  isolation  decision 
or  an  alarm  rejection.  Once  an  instrum¬ 
ent  is  declared  faulty,  the  FDI  tests 
are  discontinued.  To  simplify  the  calcu¬ 
lation  of  the  exact  results  required  for 
comparison,  it  is  assumed  that  tests  are 
reset  after  five  time  samples,  which 
reduces  the  number  of  terms  in  the 
numerical  convolution  sums  to  be 
evaluated  to  a  maximum  of  five. 

This  strategy  gives  rise  to  a  model 
with  nine  states: 

1.  Two  instruments  available ,  none 
failed,  no  detection  alarm  present, 
SRDTs  operating.  (2/0/0) 

2.  Two  instruments  available,  none 
failed,  one  SRDT  detection  alarm 
present,  SPRTs  operating.  (2/0/D) 

3.  One  instrument  available,  one 
eliminated  due  to  false  isolation  [FDI 
discontinued].  (1G/FI) 

4.  TVo  instruments  available,  one 
failed,  correct  detection  alarm 
triggered,  SPRTs  operating.  (2/F/C) 

5.  TVo  instruments  available,  one 
failed,  detection  alarm  present  for 
wrong  pair,  SPRTs  operating.  (2/F/W) 

6.  Two  instruments  available,  one 
failed,  no  detection  alarms  present, 
SRDTs  operating.  ( 2/F/O ) 

7.  One  good  instrument  available,  one 
faulty  instrument  isolated  [FDI 
discontinued ] .  (1G/F) 

8.  System  loss  due  to  one  failure  and 
one  false  isolation.  (SL/F/FI) 

9.  System  loss  due  to  two  failures. 

( SL/2F ) 

The  state  transition  diagram  for  this 
model  is  shown  in  Fig.  1.  The  thick 
lines  indicate  fast  transitions  while 
the  dashed  lines  indicate  slow  transi¬ 
tions.  When  behavioural  decomposition  of 
the  nine  state  model  is  done,  it  breaks 
up  into  three  classes  with  the  inter¬ 
class  transitions  taking  place  in  a  slow 
time-scale.  Class  1  comprises  states  1, 
2,  and  3  (1  £  2  transient),  class  2 
states  4, 5, 6, 7  &  8  (4,5  £  6  transient), 
and  class  3  state  9.  Class  2  contains 
two  trapping  states  for  c*=  0  and  hence  is 
a  non-ergodic  class.  The  decision  time 
mass  functions  for  the  SRDTs  were 
assumed  to  give  P^a».047  and  those  of 

SPRTs  to  give  P,  -.047  and  P  -.02.  The 
holding  time  mass  functions  h^j(n)  are 
computed  from  the  core  matrix  elements 

G  . 

g^j(n)  which  are  derived  as  indicated  in 
[33 .  The  matrices  [Pjj]-  j] >  and 
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c ase(2):  c  =  5x10 

The  matrices  for  case(Z)  are  given  in 
table  1  truncated  to  4  decimal  places. 

We  define  normalized  error  between 
the  exact  and  approximate  class 
probabilities  as  follows: 

n<  V)  _  O') 

Normalized  error=  **° - — -•pprox  (26) 

n 

exact 


where  n<wl  is  the  exact  probability 

exact 

distribution  in  class  i>eM  calculated 
numerically.  The  normalized  error  for 
different  class  probabilities  using  the 
above  algorithm  for  both  cases  consider¬ 
ed  is  shown  in  Fig.  2-7.  We  notice  that 
the  normalized  error  in  all  the  classes 
is  less  than  0.1  (except  in  one  case) 
at  the  desired  time  step  of  interest  and 
the  error  decreases  as  the  step-size 
decreases . 

A  comparison  of  the  exact  state 
probabilities  at  the  desired  time  step 
with  the  approximate  probabilities  deri¬ 
ved  from  (i)  the  algorithm  presented 
here  and  (ii)  the  algorithm  given  in  [8] 
is  shown  in  table  2.  A  modified  version 
of  the  algorithm  presented  in  [4]  to 
treat  non-eraodic  classes  is  used  to 
derive  the  approximate  probabilities  in 
case  (ii) . 


4.1  Discussion  of  results 

From  table  2,  we  infer  that  there  is 
always  100%  error  between  the  exact  and 
approximate  probabilities  for  transient 
states  using  the  algorithm  given  in 

[4],  Also,  the  class  3  probability  is 
always  approximated  as  zero  implying  a 
100%  error  also  exists  in  one  of  the 
class  probabilities.  The  reason  for  this 
is  that  the  transient  states  in  class  1 
have  large  holding  times  that  are  of  the 
order  of  the  mission  time  of  interest, 
whereas  in  [4]  it  is  assumed  implicitly 
that  holding  times  are  negligible 
relative  to  the  mission  time.  Such 
holding  time  mass  functions  are  not 
unusual  in  FTCS  design  when  we  try  to 
keep  the  probability  of  a  false  alarm 
and  a  false  isolation  very  small,  as  is 
desirable. 

The  numerical  example  presented  here 
is  typical  of  many  FTCS  architectures. 
The  good  approximation  of  the  results 
indicates  the  usefulness  of  the 
algorithm  for  approximate  reliability 
evaluation.  Comparing  the  exact  state 
probabilities  with  those  computed  using 
the  approximate  technique  presented 
here,  we  infer  that  the  results  agree 
well  for  small  c  over  large  mission 
times  which  are  still  considerably 
smaller  than  the  MTBF  of  the  components. 

However,  from  Fig.  2-7  it  is  noticed 
that,  although  the  normalized  error 
becomes  smaller  as  the  step-size  decrea¬ 
ses,  the  convergence  of  the  algorithm  is 


not  asymptotic.  Hence,  an  optimum  choice 
for  the  step-size  is  not  clear.  A  good 
choice  depends  on  the  mission  time  of 
interest,  and  the  step-size  can  be  large 
for  large  mission  times.  One  rule  of 
thumb  is  to  choose  n=50  to  100.  This 
gave  good  approximations  in  most  cases 
investigated  in  this  work. 

5.  CONCLUSION 

An  algorithm  for  approximate  evalua¬ 
tion  of  the  state  probability  vector  of 
a  semi-Markov  process  governed  by  widely 
different  transition  rates  has  been 
presented.  The  method  was  used  to 
evaluate  the  reliability  of  a  represen¬ 
tative  FTCS  architecture  and  the  superi¬ 
ority  of  the  scheme  over  that  in  [4]  has 
been  demonstrated.  Also,  the  scheme  is 
applicable  to  systems  that  contain 
classes  with  more  than  one  recurrent 
chain  when  the  behavioural  decomposition 
is  used.  It  is  noticed  that  the 
approximation  is  better  when  the  time 
scales  are  distinct  and  the  step-size  cf 
the  algorithm  is  small.  The  sensitivity 
of  the  scheme  to  the  time  scale 
separation  and  order  of  the  failure  rate 
c  remains  to  be  investigated. 

The  primary  contribution  of  the 
paper  is  the  extension  to  mere  general 
classes  of  systems  that  cannot  be  handl¬ 
ed  by  the  scheme  in  [4,8]  and  better 
approximation  of  the  transient  state 
probabilities  of  the  original  model  that 
might  have  large  holding  times. 
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Table  1 


[Pij]  = 


hij]  = 


Fij> 


0.9087 

0.9067 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 


0913 

0039 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 


0.0 

0.0894 

1.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 


0.0 

0.0 

0.0 

0.0478 


0.0 

0.0 

0.0 

0.0 


0.0 

0.0 

0.0 

0.0181 


0.0 
0.0 
0.0 
0.9332 


0.0 
0.0 
0.0 
.  0009 


9.0018 

0.5400 

0.0 

5.4293 

0.0271 

0.5449 

0.0 

0.0 

1.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

__0.0 

0.0 

0.0 

479989 

2.8341 

0.0 

3.7424 

4.2362 

3.6921 

0.0 

0.0 

1.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.0 

0.  ' 

0.0 

0.0 

0.0 

0.0  0.0039  0.9067  0.0447  0.0447  0.0 

0.9519  0.0199  0.0282  0. 

0  0. 

0  0.0 

0.0  0. 

0  0.0  1. 

0  0. 

0  0.0 

0.0  0. 

0  0.0  0. 

0  1. 

0  0.0 

0.0  0. 

0  0.0  0. 

0  0. 

0  1^0 

0913  0.0913 

9.4192  0.0 

0.0 

0.0~ 

5000  2.5000 

0.9067  0.0 

0.0 

0.0 

0.0  0.0 

0.0  0.0 

1.0 

0.0 

0689  0.0 

0.0232  1.1869 

0.0013 

1 . 5980 

0.0  0.0082 

1.6453  0.0436 

0.0436 

1.5951 

6481  0.0189 

0.0918  0.0 

0.0 

1.9370 

0.0  0.0 

0.0  1.0 

0.0 

1.0 

0.0  0.0 

0.0  0.0 

0.0 

0.0 

0.0  0.0 

0.0  0.0 

0.0 

0.0_ 

8341  2.8341 

2.9623  0.0 

0.0 

o.  o- 

3.0  3.0 

3.7424  0.0 

0.0 

0.0 

0.0  0.0 

0.0  0.0 

1.0 

0.0 

7270  0.0 

3.5445  3.7294 

3.4850 

2.4646 

0.0  4.2362 

3.7424  3.6921 

3 . 6921 

2.4721 

8977  1.9723 

4.2688  0.0 

0.0 

2 . 0206 

0.0  0.0 

0.0  1.0 

0.0 

1.0 

0.0  0.0 

0.0  0.0 

1.0 

0.0 

0.0  0.0 

0.0  0.0 

0.0 

1.0 

Table  2 

Comparison  of  exact  and  approximate  probabilities 


'Time  step 

Exact  results 

Approx,  results 

Approx,  results 

and  e 

(state  1  to  9) 

usinq  step-size=50 

using  scheme  [4] 

10,000 

0.000027684938 

0.000028037752 

0 

C=5*10~8 

0.000009194938 

0.000008243412 

0 

0.999432770000 

0.999434580306 

0.999500124979 

0.000000000047 

0.000000000021 

0 

0.000000000003 

0.000000000021 

0 

0.000000000156 

0.000000000241 

0 

0.000061669460 

0.000054278419 

0 

0.000468653400 

0.000474833582 

0.000499875021 

0.000000028905 

0.000000026245 

0 

15,000 

0.000027582208 

0.000027927991 

0 

C=5*10_8 

0.000009187481 

0.000008233990 

0 

0.999183050000 

0.999184825377 

0.999250281179 

0.000000000057 

0.000000000020 

0 

0.000000000003 

0.000000000 020 

0 

0.000000000156 

0.000000000236 

0 

0.000061654051 

0.000053300697 

0 

0.000718480390 

0.000725668978 

0.000749718820 

0.000000044321 

0.000000042689 

0 

10,000 

0.000033414812 

0.000016518806 

0 

0.000835702550 

0.000016518806 

0 

e= 5*10 

0.588035090000 

0.588829863265 

0.606530659712 

0.000006652044 

0.000000015147 

0 

0.000000329155 

0.000000015147 

0 

0.000003095837 

0.000000177613 

0 

0.036292407000 

0.039965861579 

0 

0.353017460000 

0.349653693105 

0.393436934028 

0.021775854000 

0.021528998622 

0 
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